Hello and welcome to the Friday, August 29, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

One story that I covered today in a diary is an increase in scanning for zip files in our web application honeypots. What this means is that the attackers are assuming, and probably rightfully so, that administrators are leaving random zip files with backups, credential files and the like in their web application's document root. And they're trying to essentially brute force file names here in order to retrieve those files. File names like backup.zip or env.zip are some of the common file names that we're seeing there. They're constantly adding new file names, probably as they find some of these file names also on websites they are compromising. This really comes back down to basic hygiene, trying to keep your deployment rules under control, where you're not just rolling out code, creating files on a live system without the necessary constraints and restrictions. As a preventive measure, you may want to take a quick look at your web servers and check that there are no zip files stored anywhere in the document root that aren't supposed to be there. If you don't have any zip files, which is probably true for a good number of websites, you should be able to also configure your web server to just not allow serving files with a .zip extension. I haven't looked at some of the other similar extensions like .gz, maybe .tar.gz and the like, to see if they're also increasing, but I would assume they are. And even if they're not yet, well, they probably will be soon. So add those extensions to the list as well.

And FreePBX is warning that there is currently an actively exploited vulnerability in FreePBX that has not been fully patched at this point. The advice is to restrict access to the admin interface of FreePBX, probably a good idea anyway. The particular vulnerability appears to be in the endpoint module. If you don't have the endpoint module installed, you're not believed to be vulnerable at this particular point. And version 16 as well as 17 are affected. Versions before 16 are still being investigated, according to FreePBX. So they may be vulnerable, but at this point it hasn't been confirmed. Earlier today, there was also an announcement that FreePBX released a preliminary patch for this particular vulnerability. But it states that this updated module was released for testing. It hasn't gone through the normal QA yet. So it's one of those, well, at-your-own-risk kind of patches that you may or may not want to risk deploying. The best option probably at this point is to just use firewall rules and restrict access to the admin interface, or anything within FreePBX, as much as possible. And then apply, of course, the patch, the final patch, as soon as it is released. I'll link to the advisory by FreePBX, which also includes additional details about how to implement certain workarounds. We're also seeing some scans for FreePBX starting today, for essentially some basic URLs associated with FreePBX. I don't believe the URLs being requested here are specifically associated with the vulnerability. However, they may be related to attackers either building target lists or doing some preliminary scans before they are sending the exploit, to make sure they're not hitting a honeypot but actually only vulnerable systems.

And Click Studios, the company behind the enterprise password management tool Passwordstate, did advise its users to immediately update their installation of Passwordstate to fix a critical vulnerability that could lead to access to the emergency password page in your application. There's essentially an authentication bypass that allows an attacker with a sufficiently crafty URL to access this page. This new update also fixes a clickjacking vulnerability. I did talk about this, I think it was earlier this week or last week, that there were a number of password safe applications that were found to be vulnerable to clickjacking. So this is being addressed in this update as well.

Well, and this is it for today. Thanks for listening. Thanks for liking and thanks for subscribing to this podcast. Also, please leave good reviews on your favorite podcast platform, and talk to you again on Tuesday. Bye.
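The following Python script is an added example, not part of the Stormcast or any SANS ISC tooling, showing the two defensive checks the zip-file story calls for: a walk over a web server document root that lists stray archive files, and a pass over access log lines that flags clients guessing archive names such as backup.zip. The extension list (`ARCHIVE_SUFFIXES`), the alert threshold, the document root layout and the log lines are all constructed sample data and assumptions for the example; the log parser assumes the Apache/nginx combined log format.

```python
"""
Added example (not from the SANS ISC Stormcast): two defensive checks for the
"scanning for zip files in the document root" hygiene problem.

1. find_stray_archives(): walk a web server document root and list archive
   files (.zip, .gz, .tar, .tar.gz, .tgz, .bak) that should not be served.
2. archive_probes(): run over access log lines (Apache/nginx combined format)
   and count, per client, requests for archive-like paths so that brute-force
   guessing of names such as backup.zip or env.zip stands out.

Paths, IPs and log lines below are constructed sample data, not real traffic.
"""
import os
import re
import tempfile
from collections import Counter, defaultdict

# Extensions mentioned in the episode plus a couple of common backup names
# (assumed list; extend it for your environment).
ARCHIVE_SUFFIXES = (".zip", ".gz", ".tar", ".tar.gz", ".tgz", ".bak")

# Combined log format: client - - [time] "METHOD /path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def looks_like_archive(path: str) -> bool:
    """True if the URL path or file name (query string ignored) ends in an
    archive/backup suffix."""
    name = path.split("?", 1)[0].lower()
    return name.endswith(ARCHIVE_SUFFIXES)


def find_stray_archives(docroot: str):
    """Return docroot-relative paths of archive files found anywhere under it."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            if looks_like_archive(fname):
                found.append(os.path.relpath(os.path.join(dirpath, fname), docroot))
    return sorted(found)


def archive_probes(log_lines, threshold: int = 3):
    """Per client, count requests for archive-like paths. Return the clients
    whose count reaches threshold, the distinct names they tried, and how many
    of those requests succeeded (2xx). A 2xx here means a guessed name matched
    a real file and needs immediate attention."""
    attempts = defaultdict(Counter)
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not looks_like_archive(m.group("path")):
            continue
        client = m.group("client")
        attempts[client][m.group("path")] += 1
        if m.group("status").startswith("2"):
            hits[client] += 1
    report = {}
    for client, paths in attempts.items():
        total = sum(paths.values())
        if total >= threshold:
            report[client] = {
                "requests": total,
                "paths": sorted(paths),
                "successful": hits[client],
            }
    return report


# Constructed sample log lines: 203.0.113.5 guesses archive names,
# 198.51.100.7 is ordinary traffic that fetches one legitimate download.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2025:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.5 - - [29/Aug/2025:10:00:02 +0000] "GET /env.zip HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.5 - - [29/Aug/2025:10:00:03 +0000] "GET /www.tar.gz HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.5 - - [29/Aug/2025:10:00:04 +0000] "GET /site.zip?x=1 HTTP/1.1" 200 88213 "-" "curl/8.0"',
    '198.51.100.7 - - [29/Aug/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2025:10:00:06 +0000] "GET /docs/manual.zip HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def demo_docroot() -> str:
    """Build a throwaway document root containing one stray archive (sample data)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "assets"))
    for rel in ("index.html", "assets/app.js", "assets/backup.zip"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = demo_docroot()
    print("stray archives under", root, "->", find_stray_archives(root))
    for client, info in archive_probes(SAMPLE_LOG).items():
        print(client, info)
```

Point `find_stray_archives()` at the real document root during a deployment check, and feed `archive_probes()` the access log to spot the name-guessing described in the diary; a client that reaches the threshold with any successful request is the case to chase first, because that file was actually handed out.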